topic Re: port 2122 in Network Security

port 2122

Danny Guillory Jr — Fri, 21 Feb 2020 11:08:30 GMT

I have a pic 506e and i need to open up port 2122 to accept incoming commections to the internal IP of 10.9.2.202 I have posted my config below.

any ideas?

PIX Version 6.3(5)

interface ethernet0 auto

interface ethernet1 auto

nameif ethernet0 outside security0

nameif ethernet1 inside security100

enable password xxx

passwd xxx

hostname ABVALVE

domain-name extechla.com

clock timezone CST -6

clock summer-time CDT recurring

fixup protocol dns maximum-length 512

fixup protocol ftp 21

fixup protocol h323 h225 1720

fixup protocol h323 ras 1718-1719

fixup protocol http 80

fixup protocol icmp error

fixup protocol rsh 514

fixup protocol rtsp 554

fixup protocol sip 5060

fixup protocol sip udp 5060

fixup protocol skinny 2000

fixup protocol smtp 25

fixup protocol sqlnet 1521

fixup protocol tftp 69

names

name 10.9.2.202 E1505

name 10.9.2.252 Printer

access-list outside_acl permit tcp any interface outside eq 3389

access-list outside_acl permit tcp any interface outside eq 5001

no pager

mtu outside 1500

mtu inside 1500

ip address outside dhcp setroute

ip address inside 10.9.2.1 255.255.255.0

ip audit info action alarm

ip audit attack action alarm

pdm location E1505 255.255.255.255 inside

pdm location Printer 255.255.255.255 inside

pdm logging informational 100

pdm history enable

arp timeout 14400

global (outside) 1 interface

nat (inside) 1 0.0.0.0 0.0.0.0 0 0

static (inside,outside) tcp interface 3389 E1505 3389 netmask 255.255.255.255 0 0

static (inside,outside) tcp interface 5001 Printer 5001 netmask 255.255.255.255 0 0

access-group outside_acl in interface outside

timeout xlate 0:05:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00

timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout sip-disconnect 0:02:00 sip-invite 0:03:00

timeout uauth 0:05:00 absolute

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server RADIUS protocol radius

aaa-server RADIUS max-failed-attempts 3

aaa-server RADIUS deadtime 10

aaa-server LOCAL protocol local

http server enable

http 10.9.2.0 255.255.255.0 inside

no snmp-server location

no snmp-server contact

snmp-server community public

no snmp-server enable traps

floodguard enable

telnet 10.9.2.0 255.255.255.0 inside

telnet timeout 60

ssh 0.0.0.0 0.0.0.0 outside

ssh timeout 5

console timeout 0

dhcpd address E1505-10.9.2.250 inside

dhcpd lease 3600

dhcpd ping_timeout 750

dhcpd auto_config outside

dhcpd enable inside

terminal width 200

Cryptochecksum:xxx

: end

Re: port 2122

JORGE RODRIGUEZ — Tue, 02 Dec 2008 17:33:09 GMT

Simple

static (inside,outside) tcp interface 2122 10.9.2.202 2122 netmask 255.255.255.255

access-list outside_acl permit tcp any interface outside eq 2122

access-group outside_acl in interface outside

Re: port 2122

JORGE RODRIGUEZ — Thu, 04 Dec 2008 00:56:42 GMT

Danny, were you able to open up the necesary 2122 tcp port you had asked, just want to make sure you are ok with configuration or if you need more help, just let us know.

Rgds

Jorge

Re: port 2122

Danny Guillory Jr — Thu, 04 Dec 2008 09:30:14 GMT

i understand

this line:

static (inside,outside) tcp interface 2122 10.9.2.202 2122 netmask 255.255.255.255

and this line:

access-list outside_acl permit tcp any interface outside eq 2122

I don't understand

this line:

access-group outside_acl in interface outside

my confusion is: as reading this last line that you are telling the "access-group outside_acl" to use "interface outside" for all the incoming connections... but the rdp port 3389 and the media port 5001 are working even now without this line?

elaborate please...

Re: port 2122

JORGE RODRIGUEZ — Thu, 04 Dec 2008 23:26:57 GMT

When you issue access-group outside_acl in interface outside after the access-list outside_acl permit tcp any interface outside eq 2122, you are applying the newly created line in access list outcide_acl to the outside interface, if you don't apply it the outside interface most likely will not allow tcp 2122 towards the natted address.

3389, 5001 are working because at some point in time the outside_acl access list for those ports were also apply to the outside interface in the same fasion.

Rgds

Jorge